CVE-2015-8935
Description
PHP header() function's deprecated line folding allows XSS against Internet Explorer via %0A%20 or %0D%0A%20 sequences.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The sapi_header_op function in main/SAPI.c in PHP before 5.4.38, 5.5.x before 5.5.22, and 5.6.x before 5.6.6 supports deprecated line folding in HTTP headers (as per RFC 2616) without considering browser compatibility. Internet Explorer treats %0A%20 (LF + space) or %0D%0A%20 (CRLF + space) as a new header separator, while other browsers interpret it as continuation of the previous header. This allows remote attackers to inject arbitrary HTTP headers or content, leading to cross-site scripting (XSS) against Internet Explorer. The issue is documented as PHP bug #68978 [2][3].
Exploitation
An attacker must be able to control a portion of an HTTP header value passed to PHP's header() function. No authentication or special network position is required; the attacker can exploit the vulnerability remotely. By injecting %0A%20 or %0D%0A%20 into the header value, the attacker can cause Internet Explorer to interpret the following text as a new header line. For example, injecting %0D%0A%20Set-Cookie: session=malicious or %0D%0A%20 can achieve header injection or content injection, resulting in XSS [2][3].
Impact
Successful exploitation allows an attacker to perform cross-site scripting (XSS) attacks against users of Internet Explorer. This can lead to theft of session cookies, content injection, or other malicious actions in the context of the affected web application. The impact is limited to Internet Explorer due to its non-standard handling of folded headers; other browsers treat the injected sequences as whitespace continuation [2][3].
Mitigation
PHP patched this issue in versions 5.4.38, 5.5.22, and 5.6.6 by removing support for line folding in header values, aligning with RFC 7230. The fix commits are available in the PHP source repository [4]. Red Hat provided an update for rh-php56 to version 5.6.25 as part of RHSA-2016:2750 [1]. Users should upgrade to the patched versions or apply the corresponding vendor updates. No workaround is available if the patch cannot be applied. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
53 entries:
- cpe:2.3:a:php:php:*:*:*:*:*:*:*:* (range: <=5.4.37)
- cpe:2.3:a:php:php:5.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.5.0:alpha1:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.5.0:alpha2:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.5.0:alpha3:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.5.0:alpha4:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.5.0:alpha5:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.5.0:alpha6:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.5.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.5.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.5.0:beta3:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.5.0:beta4:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.5.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.5.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.5.10:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.5.11:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.5.12:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.5.13:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.5.14:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.5.18:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.5.19:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.5.20:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.5.21:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.5.3:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.5.4:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.5.5:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.5.6:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.5.7:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.5.8:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.5.9:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.6.0:alpha1:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.6.0:alpha2:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.6.0:alpha3:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.6.0:alpha4:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.6.0:alpha5:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.6.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.6.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.6.0:beta3:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.6.0:beta4:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.6.2:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.6.3:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.6.4:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.6.5:*:*:*:*:*:*:*
- (no CPE) range: <5.4.38, <5.5.22, <5.6.6
- OSV coordinates (6 versions, no CPE):
  - pkg:rpm/suse/php53&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4 range: < 5.3.17-74.1
  - pkg:rpm/suse/php53&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2011%20SP4 range: < 5.3.17-74.1
  - pkg:rpm/suse/php53&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2011%20SP4 range: < 5.3.17-74.1
  - pkg:rpm/suse/php5&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2012 range: < 5.5.14-68.1
  - pkg:rpm/suse/php5&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP2-LTSS range: < 5.2.14-0.7.30.89.1
  - pkg:rpm/suse/php5&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP1 range: < 5.5.14-68.1
Patches
- 996faf964bba: Update header handling to RFC 7230
4 files changed · +12 −16
ext/standard/tests/general_functions/bug60227_2.phpt+4 −3 modified@@ -1,14 +1,15 @@ --TEST-- Bug #60227 (header() cannot detect the multi-line header with CR), \r before \n +--INI-- +expose_php=0 --FILE-- <?php header("X-foo: e\n foo"); -header("X-Foo6: e\rSet-Cookie: ID=123\n d"); echo 'foo'; ?> --EXPECTF-- + Warning: Header may not contain more than a single header, new line detected in %s on line %d foo --EXPECTHEADERS-- -X-foo: e -foo +Content-type: text/html; charset=UTF-8
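Review bot: In bug60227_2.phpt the case `header("X-Foo6: e\rSet-Cookie: ID=123\n d")` is deleted rather than kept with a second expected warning; since the lone-CR path is also changed by this commit (any `\r` is now rejected), keeping that call and adding a matching `Warning: Header may not contain more than a single header, new line detected in %s on line %d` line to EXPECTF would preserve coverage of the CR case. The added `expose_php=0` under --INI-- is needed so that EXPECTHEADERS can list only `Content-type: text/html; charset=UTF-8` without an X-Powered-By line varying by build.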
ext/standard/tests/general_functions/bug60227_3.phpt+3 −3 modified@@ -1,14 +1,14 @@ --TEST-- Bug #60227 (header() cannot detect the multi-line header with CR), \0 before \n +--INI-- +expose_php=0 --FILE-- <?php -header("X-foo: e\n foo"); header("X-Foo6: e\0Set-Cookie: ID=\n123\n d"); echo 'foo'; ?> --EXPECTF-- Warning: Header may not contain NUL bytes in %s on line %d foo --EXPECTHEADERS-- -X-foo: e -foo +Content-type: text/html; charset=UTF-8
ext/standard/tests/general_functions/bug60227_4.phpt+3 −3 modified@@ -1,14 +1,14 @@ --TEST-- Bug #60227 (header() cannot detect the multi-line header with CR), CRLF +--INI-- +expose_php=0 --FILE-- <?php -header("X-foo: e\r\n foo"); header("X-foo: e\r\nfoo"); echo 'foo'; ?> --EXPECTF-- Warning: Header may not contain more than a single header, new line detected in %s on line %d foo --EXPECTHEADERS-- -X-foo: e - foo +Content-type: text/html; charset=UTF-8
main/SAPI.c+2 −7 modified@@ -743,13 +743,8 @@ SAPI_API int sapi_header_op(sapi_header_op_enum op, void *arg TSRMLS_DC) /* new line/NUL character safety check */ int i; for (i = 0; i < header_line_len; i++) { - /* RFC 2616 allows new lines if followed by SP or HT */ - int illegal_break = - (header_line[i+1] != ' ' && header_line[i+1] != '\t') - && ( - header_line[i] == '\n' - || (header_line[i] == '\r' && header_line[i+1] != '\n')); - if (illegal_break) { + /* RFC 7230 ch. 3.2.4 deprecates folding support */ + if (header_line[i] == '\n' || header_line[i] == '\r') { efree(header_line); sapi_module.sapi_error(E_WARNING, "Header may not contain " "more than a single header, new line detected");
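Review bot: The replacement condition `if (header_line[i] == '\n' || header_line[i] == '\r')` in main/SAPI.c correctly makes every CR and LF fatal, including the previously tolerated obs-fold continuation (`\n` or `\r\n` followed by SP/HT), which is the point of the fix; two follow-ups are worth raising. First, the warning text "Header may not contain more than a single header, new line detected" is now also emitted for a single folded header that contains no second header, so the message is misleading for the case this change newly rejects; a wording like "new line or carriage return detected" would be accurate. Second, this is a behaviour change for applications that emitted folded multi-line headers on purpose (the header is now dropped with an E_WARNING), so it needs a NEWS/UPGRADING entry. As a side benefit, the deleted code read `header_line[i+1]` at `i == header_line_len - 1` and relied on the NUL terminator; the new loop body no longer reads past `i`.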
Vulnerability mechanics
Root cause
"PHP before 5.4.38, 5.5.x before 5.5.22, and 5.6.x before 5.6.6 supported deprecated line folding in headers, which Internet Explorer interpreted differently than other browsers."
Attack vector
Remote attackers can conduct cross-site scripting (XSS) attacks against Internet Explorer by sending specially crafted HTTP headers. Internet Explorer interprets `%0A%20` or `%0D%0A%20` as a header separator, while other browsers treat it as a continuation of the previous header. This allows for header injection or content injection, leading to XSS when the client is Internet Explorer [ref_id=1].
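The divergence described above is a parser disagreement: the same bytes are one folded field to an RFC 2616 obs-fold parser and two fields to a parser that treats LF+SP or CRLF+SP as a separator. The toy scanner below is an added example, not code from the page, from PHP or from any browser; the `FOLD_SPLITS` policy models the Internet Explorer behaviour as the description states it, not IE's real parser, and `field_seen`, `policies_disagree` and the sample header block are ours. It shows why a server-side check that tolerates folding lets a value reach a client that will split it.

```c
#include <stddef.h>
#include <string.h>

/* Two folding policies for a header-block scanner (added example).
 *   FOLD_CONTINUES: a line starting with SP or HT continues the previous
 *                   field's value (RFC 2616 obs-fold; most browsers).
 *   FOLD_SPLITS:    such a line is taken as a new field (the Internet
 *                   Explorer behaviour described for CVE-2015-8935). */
enum fold_policy { FOLD_CONTINUES = 0, FOLD_SPLITS = 1 };

/* Returns 1 if, under `policy`, the scanner sees a field named `name`
 * (case-sensitive for brevity) in the raw header block `raw`, else 0.
 * Scanning stops at the empty line that ends the header block. */
int field_seen(const char *raw, const char *name, enum fold_policy policy)
{
    size_t nlen = strlen(name);
    const char *p = raw;
    while (*p != '\0') {
        const char *eol = strpbrk(p, "\r\n");
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        if (len == 0) {
            break;                        /* empty line: end of headers */
        }
        int is_fold = (p[0] == ' ' || p[0] == '\t');
        if (!(is_fold && policy == FOLD_CONTINUES)) {
            /* either a normal line, or a folded line that FOLD_SPLITS
             * promotes to a field after skipping the leading whitespace */
            const char *field = p;
            size_t flen = len;
            while (flen > 0 && (*field == ' ' || *field == '\t')) {
                field++;
                flen--;
            }
            if (flen > nlen && strncmp(field, name, nlen) == 0 && field[nlen] == ':') {
                return 1;
            }
        }
        if (eol == NULL) {
            break;
        }
        p = eol;
        if (*p == '\r') p++;
        if (*p == '\n') p++;
    }
    return 0;
}

/* Constructed sample (not captured from any real server): the X-Note value
 * contains CRLF + SP, which is what %0D%0A%20 decodes to, followed by text
 * shaped like a Set-Cookie line. */
static const char *const SAMPLE_HEADERS =
    "Content-Type: text/html\r\n"
    "X-Note: hello\r\n Set-Cookie: id=1\r\n"
    "\r\n"
    "<html>body</html>";

/* Returns 1 when the two policies disagree about Set-Cookie being a field:
 * 0 under FOLD_CONTINUES (it is part of X-Note), 1 under FOLD_SPLITS. */
int policies_disagree(void)
{
    int rfc = field_seen(SAMPLE_HEADERS, "Set-Cookie", FOLD_CONTINUES);
    int ie  = field_seen(SAMPLE_HEADERS, "Set-Cookie", FOLD_SPLITS);
    return rfc == 0 && ie == 1;
}

int main(void)
{
    return policies_disagree() ? 0 : 1;
}
```

The defensive conclusion is the one PHP drew in the fix: a server cannot know which policy the client applies, so the only safe header value is one with no CR or LF at all.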
Affected code
The vulnerability exists in the `sapi_header_op` function within `main/SAPI.c`. The function previously allowed newlines if followed by a space or tab, a behavior that was deprecated by RFC 7230 but still interpreted by Internet Explorer in a way that enabled XSS attacks [ref_id=1][patch_id=4376623].
What the fix does
The patch updates header handling to comply with RFC 7230, which deprecates line folding support. The code now checks for newline characters (`\n` or `\r`) within header lines and rejects them, preventing the interpretation of malformed headers that could lead to XSS in Internet Explorer [patch_id=4376623]. This change aligns PHP's header processing with modern RFC standards and removes the vulnerability.
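To make the "Affected code" and "What the fix does" passages concrete, the block below re-implements both versions of the newline safety check from `sapi_header_op` and runs them over constructed header values. This is an added example, not PHP's own code: the function names `header_rejected_prefix`, `header_rejected_postfix`, `prefix_rejects`, `postfix_rejects` and `count_fold_only_cases` are ours, and the sample values are constructed. Each checker returns true when PHP would raise the warning and drop the header.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Pre-fix logic (PHP < 5.4.38 / 5.5.22 / 5.6.6), re-implemented from the
 * removed lines of the main/SAPI.c hunk. A CR or LF is tolerated when the
 * following byte is SP or HT: RFC 2616 line folding (obs-fold). The
 * original reads header_line[i+1] and relies on the NUL terminator of its
 * private copy at the last byte; `next` reproduces that without the read. */
bool header_rejected_prefix(const char *header_line, size_t header_line_len)
{
    for (size_t i = 0; i < header_line_len; i++) {
        char next = (i + 1 < header_line_len) ? header_line[i + 1] : '\0';
        bool illegal_break =
            (next != ' ' && next != '\t')
            && (header_line[i] == '\n'
                || (header_line[i] == '\r' && next != '\n'));
        if (illegal_break) {
            return true;
        }
    }
    return false;
}

/* Post-fix logic (commit "Update header handling to RFC 7230"): RFC 7230
 * section 3.2.4 deprecates obs-fold, so any CR or LF is rejected. */
bool header_rejected_postfix(const char *header_line, size_t header_line_len)
{
    for (size_t i = 0; i < header_line_len; i++) {
        if (header_line[i] == '\n' || header_line[i] == '\r') {
            return true;
        }
    }
    return false;
}

/* Wrappers for NUL-terminated strings. */
bool prefix_rejects(const char *s)  { return header_rejected_prefix(s, strlen(s)); }
bool postfix_rejects(const char *s) { return header_rejected_postfix(s, strlen(s)); }

/* Returns how many constructed sample values the pre-fix check lets through
 * but the post-fix check rejects: exactly the folded forms that Internet
 * Explorer would have split into a second header. */
int count_fold_only_cases(void)
{
    /* constructed samples, not taken from the page or a real application */
    static const char *const samples[] = {
        "X-Foo: bar",            /* plain value: accepted by both */
        "X-Foo: e\n foo",        /* LF + SP obs-fold: old accepts, new rejects */
        "X-Foo: e\r\n\tfoo",     /* CRLF + HT obs-fold: old accepts, new rejects */
        "X-Foo: e\nX-Bar: baz",  /* bare LF before a new field: rejected by both */
        "X-Foo: e\rX-Bar: baz",  /* lone CR before a new field: rejected by both */
    };
    int n = 0;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (!prefix_rejects(samples[i]) && postfix_rejects(samples[i])) {
            n++;
        }
    }
    return n;
}

int main(void)
{
    return count_fold_only_cases() == 2 ? 0 : 1;
}
```

The two obs-fold samples are the whole difference between the versions: everything the old check rejected, the new check still rejects, and the fix adds no other behaviour. Application code on a patched PHP therefore does not need its own CR/LF filter for `header()`, but code that builds header values from user input should still validate them, because a rejected header is silently dropped with only an E_WARNING.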
Preconditions
- input: The attacker must send a header containing `%0A%20` or `%0D%0A%20`.
- network: The vulnerable PHP application must be accessible over the network.
- input: The target client must be using Internet Explorer.
Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
7 references:
- www.openwall.com/lists/oss-security/2016/06/20/3 (nvd; Mailing List, Patch)
- github.com/php/php-src/commit/996faf964bba1aec06b153b370a7f20d3dd2bb8b (nvd; Issue Tracking, Patch)
- bugs.php.net/bug.php (nvd; Issue Tracking, Vendor Advisory)
- lists.opensuse.org/opensuse-security-announce/2016-07/msg00004.html (nvd)
- lists.opensuse.org/opensuse-security-announce/2016-08/msg00025.html (nvd)
- lists.opensuse.org/opensuse-updates/2016-08/msg00003.html (nvd)
- rhn.redhat.com/errata/RHSA-2016-2750.html (nvd)
News mentions
No linked articles in our index yet.